
TCP Port 135 (epmap)

Ever think of why you might have lost your browser cache while surfing the web? You may want to know about TCP Port 135 (epmap) for starters.
This port can do many things to your computer if you don't have a firewall to stop intrusions attempts like these listed below. Take a good long look at where these attempted intrusions were coming from: "seattle1.level3.net!"

These attempted attacks on my computer came when I was looking around here at Portland.indymedia. This was two days of reading articles from this site. This list does not include other types of intrusions not listed but duly noted on my logs. This only covers TCP Port 135, which is used to stop your browser, delete your browser cache or whatever the sender intended to do in stopping your computer from working, like crashing it.

I'll cover "TCP SMB over IP" later, as some of those listed below do use this TCP port to do other things to your computer you may not be aware of.

Now, there may be some people who post a comment to this article stating I don't know what I am talking about, but you have to understand one very important thing here: I have been using computers and online for 8 years, being active in speaking out against the replugican party ever since signing on with AOL (which is another subject I could write about later) using a 3 watt bag phone, to where I am today.

The more we speak our minds about this current government and the loser sitting in the oval office, the more we are likely to encounter more of these types of intrusions into our computers by the government and/or its followers (the brown shirts), wanting to take away more freedoms from all of us and attempting to rule the world.

This is the reality of the internet today, where nut cases are paid to harass the citizens, attempt to shut down their computers if we don't follow orders.

I think everyone should have a copy of the list of TCP ports and print it off to have handy when trying to understand the workings of the internet and how your computer makes connections using the TCP stack. You have to know where you can be hit and how best to stop them before they happen.

Learn all there is to know about your own computer from the outside to the inside. Don't be fooled.


12/4/04, 1:24:44 AM to 12/5/04, 10:00:26 PM

USER ID IP ADDRESS TIMESTAMP OF ENTRY ON LOG


if i switch to LINUX - will this problem go away? 18.Dec.2004 22:43

Enquiring mind

I hear that there are fewer virus types directed against both Apple and LINUX operating systems. Is it also true for Spyware?

A good source of information for Windoze users 19.Dec.2004 00:29

Skeptic

Check out the Shields Up! section at Gibson Research:  http://www.grc.com . There's info there about how to shut off the more hazardous "services" that Windows boxes often have running, and a step-by-step guide to "disconnecting" NETBIOS (if your firewall shows connection attempts on ports 137-139 or 445, it's most likely a port scanner looking for someone with NETBIOS exposed. Of course, if you're already running a firewall that catches these, it's most likely blocked them already.).

There are also a couple of handy utilities for disabling the dangerous Windows DCOM feature (which is what port scanners probing TCP port 135 are probably looking for) :  link to www.grc.com .

As for the question about security and other OSes, the vast majority of viruses, spyware, exploits etc. are designed to afflict Windows computers. One reason for this is sort of ecological: an environment with a large population of a particular organism is likely also to support a large population of parasites adapted to living off those organisms. Since there are so many Windows boxes around, they provide the biggest available population to infect or exploit.

Another reason is that Windows and its companion Web browser and email client have historically been chock full of exploitable security holes.

You can avoid most of the Windows-associated nasties simply by ditching Internet Exploder and Outlook Express in favor of a different browser (Firefox and Opera are both considerably superior to IE in this respect) and a different email client (preferably one which is not HTML-enabled).

As long as Micro$oft clings to the concept of Frankensteining a browser using code modules that belong to the operating system, IE will be full of vulnerabilities and the potential consequences of these vulnerabilities will be serious.

Changing to another OS neatly sidesteps the problem of nasties aimed at Windows boxes. If the OS you're looking at is one you're comfortable with using, has decent tech support available and a base of available applications that meet your particular needs, then by all means go for it.

Of course, if another system ever achieves the market dominance that Windows has, the writers of bad shit will start targeting it...

Oh, and those IPs in the OP are pretty much all either dial-up or DSL hosts, the computers that an ISP's users connect to when they go online. That's an indication that the probes are coming from users' computers, not that Level 3 or Verizon or whoever the ISP or backbone provider might be is responsible. If these probes are attempting to access RPC services, the odds are that you're seeing computers infected with a network-aware worm which is trying to spread.

If the incoming messages are TCP, the source IPs are probably accurate. It's possible to spoof them, but doing so breaks the handshaking scheme necessary to a successful TCP connection.

Uncanny prediction! 22.Dec.2004 14:33

Bison Boy beartruth@softhome.net

"Now, there may be some people who post a comment to this article stating I don't know what I am talking about, but you have to understand one very important thing here: I have been using computers and online for 8 years, being active in speaking out against the replugican party ever since signing on with AOL (which is another subject I could write about later) using a 3 watt bag phone, to where I am today."

Or, to put it another way, "Some people may claim that I don't know a darn thing about oranges, but I've been eating lemons for 8 years and speaking out about broccoli ever since I discovered tree fruit."

Yeah.

A google search for "tcp port 135" ( http://www.google.com/search?q=tcp+port+135) reveals on the first result that the Nachi or MSBlast worms attack TCP port 135. Eight years of experience eclipsed by 30 seconds at Google. Sad, really. :-/

The hits seen in the log are most likely due to infected computers probing for hosts with vulnerabilities at port 135. There's no reason to suppose that it is a specifically-targeted attack. Nor is there reason to care about the attacker's motivation, or even humanity. They are entirely irrelevant. The port needs to be closed or defended no matter what the attacker is.

Accept that your Windows computer is not secure from internet attacks. Consider changing to a free OS. Put your home network behind a trusted hardware firewall and forget about port probes.

I have dispensed a good deal of free computer security advice on PIMC already. See my post here for more details:  http://portland.indymedia.org/en/2003/12/276662.shtml

If any reader wants more specific advice, I now offer consultation services to address your particular needs. I offer 15 watt, OpenBSD-based firewalls for hardware cost plus my time, or approximately $500. My hourly rates are reasonable, I use BSD or GPL licensed software whenever possible, and I prefer to educate my customers to maintain their own equipment rather than provide ongoing support. E-mail me for more information.
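Both Skeptic and Bison Boy read the OP's log the same way: many different dial-up and DSL sources each hitting port 135 a few times is the pattern of worm-infected hosts scanning, not of one actor targeting a machine. The following is an added example, not code from any poster: it parses entries in the same "rDNS = IP, timestamp" layout as the OP's firewall log (the sample entries are constructed, using RFC 5737 documentation addresses and made-up hostnames) and summarises the three things a defender would check before deciding the port merely needs blocking.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the OP's log layout (hostnames and addresses are
# made up; 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation ranges).
SAMPLE_LOG = """\
dialup-192.0.2.17.dial1.example-pop1.example.net = 192.0.2.17, timestamp: 12/5/04, 9:59:57 PM
dialup-192.0.2.88.dial1.example-pop1.example.net = 192.0.2.88, timestamp: 12/5/04, 9:59:09 PM
dialup-192.0.2.140.dial1.example-pop1.example.net = 192.0.2.140, timestamp: 12/5/04, 9:58:50 PM
dialup-198.51.100.5.dial1.example-pop2.example.net = 198.51.100.5, timestamp: 12/5/04, 9:38:00 PM
wbar7.ex1-198-51-100-77.ex1.dsl-example.net = 198.51.100.77,timestamp: 12/5/04, 8:41:47 PM
dialup-192.0.2.17.dial1.example-pop1.example.net = 192.0.2.17, timestamp: 12/5/04, 9:45:04 PM
dialup-192.0.2.88.dial1.example-pop1.example.net = 192.0.2.88, timestamp: 12/5/04, 9:04:20 PM
dialup-203.0.113.9.dial1.example-pop3.example.net = 203.0.113.9, timestamp: 12/5/04, 8:10:21 PM
"""

# "host = a.b.c.d, timestamp: ..." ; \s* after the comma tolerates the
# missing space some of the OP's lines have.
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s*=\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),\s*timestamp:\s*(?P<ts>.+)$"
)
TS_FORMAT = "%m/%d/%y, %I:%M:%S %p"

# Substrings ISPs commonly put in reverse DNS for end-user access lines.
ACCESS_MARKERS = ("dialup", "dial", "dsl", "cable", "pool", "dyn")


@dataclass(frozen=True)
class Hit:
    host: str
    ip: str
    ts: datetime


def parse_log(text):
    """Return one Hit per well-formed line; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(Hit(m["host"], m["ip"], datetime.strptime(m["ts"].strip(), TS_FORMAT)))
    return hits


def is_end_user_host(host):
    return any(marker in host.lower() for marker in ACCESS_MARKERS)


def triage(hits):
    """Distinguish worm background noise from a single persistent source."""
    if not hits:
        return {"hits": 0, "verdict": "no data"}
    by_ip = Counter(h.ip for h in hits)
    distinct = len(by_ip)
    end_user = sum(1 for h in hits if is_end_user_host(h.host))
    busiest_ip, busiest_n = by_ip.most_common(1)[0]
    span = max(h.ts for h in hits) - min(h.ts for h in hits)
    # Many sources, few hits each, mostly access-line rDNS: scanning worms.
    # One source producing most hits is the case that deserves a closer look.
    if distinct >= 0.5 * len(hits) and end_user >= 0.8 * len(hits):
        verdict = "worm/background scan: block the port, no targeted actor indicated"
    elif busiest_n >= 0.5 * len(hits):
        verdict = f"single persistent source {busiest_ip}: investigate"
    else:
        verdict = "mixed: review per source"
    return {"hits": len(hits), "distinct_sources": distinct, "end_user_hosts": end_user,
            "busiest": (busiest_ip, busiest_n), "span_minutes": round(span.total_seconds() / 60),
            "verdict": verdict}
```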

Could be spam. 22.Dec.2004 15:27

D man

Or government watch dogs.
Either way you should use a good firewall and registry protection software.

I get this garbage all the time.

If your computer starts to act strange, reload your registry.

 http://smb.sygate.com/products/spf_standard.htm
 http://reviews.cnet.com/Spybot_Search_and_Destroy/4505-9241_7-20848563.html



The government has been jamming my computer for awhile now giving me viruses too 02.Mar.2006 06:33

Joey Jaworski izzohardman@hotmail.com

Dear Portland Media,

the government has been spying on me probably over 2 years now. They have infected my computer with viruses and have done everything that you mention about knocking me off the internet, hijacking my connection, redirecting it to military networks. It's scary. I am just an average man, not a terrorist. I have some computer and military background. I don't care for republicans either. I think they are straight evil. They are fooling many people unfortunately.

I have tried to report what's been going on with my tapped phone line and computer to everyone from FBI to state police and senators. But I have to remember that the government is behind this. It seems as if everyone these days is in a fog and they don't care. Seems like the country was silently taken over by communists. Nobody gets back to me from the many I contacted by phone.

I have many logs that prove the government is behind this. People think there is something wrong with me but my training and expertise tell me I am right unfortunately.

Joey Jaworski

Joey! 05.Mar.2006 05:45

Secret Service Agent usss@secretservice.gov

Joey,

we are watching you.


Regards,
USSS

http://www.secretservice.gov/
202.406.5800
245 Murray Drive, Building 410, Washington, DC 20223

Joey, you're an idiot. 22.Jul.2006 10:10

Dr. S

If the government wanted to surveil you, you wouldn't know. If they wanted you dead, you would just up and disappear, I'm sure. That's why we pay taxes, ya know?

Your problem is spyware, not spooks. Consider a Mac or something.

"TEH GOVARMINT GAVE ME A VIRUS!!11!!one!!"

Heh.